Network security for encrypted channel based on reputation
US-2016373433-A1 · Dec 22, 2016 · US
US9838355B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-9838355-B1 |
| Application number | US-201615276072-A |
| Country | US |
| Kind code | B1 |
| Filing date | Sep 26, 2016 |
| Priority date | Sep 30, 2014 |
| Publication date | Dec 5, 2017 |
| Grant date | Dec 5, 2017 |
Official abstract text for this publication.
A method includes receiving a first analytics set performed on a first network security appliance operated internal to a first organization, receiving a second analytics set performed on a second network security appliance operated internal to a second organization, processing the first analytics set and the second analytics set, and responsive to the processing, disseminating to the second network security appliance information indicating that the second analytics set has also been performed on at least the first network security appliance, without revealing an identity of the first organization. In one embodiment at least part of the first analytics set or the second analytics set is hashed.
Opening claim text (preview).
What is claimed is:
1. A method comprising: receiving, at a central server from a first network security appliance, a first analytics set performed on the first network security appliance operated internal to a first organization; processing, at the central server, the first analytics set to obtain a recommended subsequent analytics selection; receiving, at the central server from a second network security appliance, an initial analytics selection associated with a second analytics set performed on the second network security appliance operated internal to a second organization; responsive to receiving the initial analytics selection, disseminating from the central server to the second network security appliance the recommended subsequent analytics selection, without revealing an identity of the first organization; wherein at least a portion of the first analytics set is organized in a search tree, the search tree comprising a lead value and an audit trail, the lead value representing a user token and a time, the user token being associated with one or more network administrators of the first organization performing one or more actions in the audit trail, the time being associated with performance of the one or more actions in the audit trail; and wherein the recommended subsequent analytics selection is based at least in part on: (i) a reputation of the one or more network administrators associated with the user token; and (ii) the time associated with performance of the one or more actions in the audit trail.
2. The method of claim 1, wherein at least part of the first analytics set or the initial analytics selections is hashed.
3. The method of claim 1, wherein the first analytics set comprises an indication of activity of at least one network administrator responsible for network security for the first organization.
4. The method of claim 1, wherein disseminating to the second network security appliance the recommended subsequent analytics selection, without revealing an identity of the first organization comprises sending an alert to the second network security appliance.
5. The method of claim 4, further comprising receiving a message from the second network security appliance in response to the alert.
6. The method of claim 1, wherein the first analytics set and the initial analytics selection indicate at least one of an order in which the one or more network administrators performed individual operations of the first analytics set or the initial analytics selection, or a velocity at which the one or more network administrators performed individual operations of the first analytics set or the initial analytics selection.
7. The method of claim 1, further comprising creating a recommendation for network administrators other than network administrators of the first organization and the second organization, the recommendation being based on the first analytics set or the initial analytics selection.
8. The method of claim 7, wherein creating the recommendation is based on a reputation of the one or more network administrators who generated the first analytics set or the initial analytics selection.
9. The method of claim 1, further comprising organizing the initial analytics selection in another search tree.
10. The method of claim 1, wherein the search tree comprises a Merkle tree.
11. An apparatus configured to share security analytics among a plurality of security network appliances deployed in respective network domains, the apparatus comprising: a processor; a network interface configured to receive a first analytics set and an initial analytics selection associated with a second analytics set from, respectively, a first network domain and a second network domain; and a memory, storing logic instructions, which, when executed by the processor, are configured to: process the first analytics set to obtain a recommended subsequent analytics selection; and in response to receiving the initial analytics selection, disseminate to the second network domain the recommended subsequent analytics selection, without revealing an identity of the first network domain; wherein at least a portion of the first analytics set is organized in a search tree, the search tree comprising a lead value and an audit trail, the lead value representing a user token and a time, the user token being associated with one or more network administrators of the first organization performing one or more actions in the audit trail, the time being associated with performance of the one or more actions in the audit trail; and wherein the recommended subsequent analytics selection is based at least in part on: (i) a reputation of the one or more network administrators associated with the user token; and (ii) the time associated with performance of the one or more actions in the audit trail.
12. The apparatus of claim 11, wherein at least part of the first analytics set or the initial analytics selection is hashed.
13. The apparatus of claim 11, wherein the first analytics set comprises an indication of activity of at least one network administrator responsible for network security for the first network domain.
14. The apparatus of claim 11, wherein the logic instructions, which, when executed by the processor, are further configured to send an alert to the second network domain.
15. The apparatus of claim 14, wherein the logic instructions, which, when executed by the processor, are further configured to receive a message from the second network domain in response to the alert.
16. The apparatus of claim 11, wherein the first analytics set and the initial analytics selection comprise at least one of an order in which the one or more network administrators performed security analytics, or a velocity at which the one or more network administrators performed security analytics.
17. The apparatus of claim 11, wherein the logic instructions, which, when executed by the processor, are further configured to create a recommendation to network administrators other than network administrators of the first organization and the second organization, the recommendation being based on the first analytics set or the initial analytics selection.
18. A computer program product comprising a non-transitory computer-readable storage medium having stored therein program code of one or more software programs, wherein the program code when executed by at least one processing device causes the at least one processing device: to receive, from a first network security appliance, a first analytics set performed on the first network security appliance operated internal to a first organization; to process the first analytics set to obtain a recommended subsequent analytics selection; to receive, from a second network security appliance, an initial analytics selection associated with a second analytics set performed on the second network security appliance operated internal to a second organization; responsive to receiving the initial analytics selection, to disseminate to the second network security appliance the recommended subsequent analytics selection, without revealing an identity of the first organization; wherein at least a portion of the first analytics set is organized in a search tree, the search tree comprising a lead value and an audit trail, the lead value representing a user token and a time, the user token being associated with one or more network administrators of the first organization performing one or more actions in the audit trail, the time being associated with performance
Vulnerability analysis · CPC title
Network analysis or design · CPC title
for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title
for separating internal from external traffic, e.g. firewalls · CPC title
by monitoring network traffic (monitoring network traffic per se H04L43/00) · CPC title